CVE program priorities

On Thu, Dec 17, 2015 at 11:17 AM, in the thread on “Upcoming changes for CVE,” Kurt Seifried wrote:

> Is there an ETA on any of this? Days/weeks/months?

It is clear at this point that CVE is not able to cover every known vulnerability. The simple fact is that the number of CVEs published every year has not kept pace with the rate or number of vulnerabilities disclosed. CVE has operated successfully for many years but fundamental changes are needed. Fifteen years ago, we could effectively focus on the U.S. IT sector and tell ourselves that we were essentially providing coverage for the world.  Given the international explosion of software development, that is no longer the case.

As stated on the CVE web site “CVE is sponsored by US-CERT in the office of Cybersecurity and Communications (CS&C) at the U.S. Department of Homeland Security.” DHS has identified a number of Critical Infrastructure Sectors and CS&C is the identified as the lead for the U.S. IT sector. As we consider how to increase the coverage of CVE, CVE must – as its highest priority – effectively provide full coverage of the software and devices used in the U.S. IT sector.

To achieve the fundamental changes required for CVE, we the Editorial Board must wrestle with a number of important topics while CVE continues to operate. We have been actively listening to and hearing the issues and concerns expressed on the Board list and on the outside. We have been working internally to understand the issues and interdependencies limiting CVE and to reflect those back to the Board for consideration.

To that end, we suggest the following list of tasks, in priority order:

0.       The operation of CVE

1.       The prioritized scope of coverage for CVE and the associated Sources and Products

2.       A re-examination and simplification of the way CVE counts vulnerabilities

3.       The required “quality” of final CVE entries

4.       Clear, redefined rules and guidelines for the operation and management of CNAs

5.       Clear, redefined and more inclusive rules for becoming a CNA

6.       Continuing revisions regarding Board membership and the process for adding members

We sincerely appreciate the Board’s continued efforts. You have always been a critical part of CVE, from back in the days of voting on CANs to today. We look forward to comments and discussions on this list to evolve CVE.

Best Regards,

Steve Boyle